DoS subsystem should compare IPv6 /64
s7r writes:
Our internal DoS defense subsystem should also treat prefixes instead of addresses, because right now with a client with a /64 public IPv6 prefix assigned to it I could hammer via IPv6 guards without triggering the DoS defense.
https://lists.torproject.org/pipermail/tor-dev/2020-February/014144.html
We could make this change by:
- only putting the first /64 of each IPv6 address in the filter list, and
- only checking the first /64 of each new IPv6 connection